Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / slpd-lite / eebd0815512b9987c2e5c65e6bd78ab467c39c4a^! / . / main.cpp
commiteebd0815512b9987c2e5c65e6bd78ab467c39c4a[log] [tgz]
authorAndrew Geissler <geissonator@yahoo.com>Fri May 24 10:05:27 2024 -0500
committerAndrew Geissler <geissonator@yahoo.com>Tue May 28 15:25:42 2024 -0500
tree0256f33cedaaf918d0ebca544a1e9c459b6962c5
parentc668313e9ff39b606410ed4b0208f9c1ab36ccba [diff] [blame]
Only allow a maximum packet size of 255 bytes

This code was written with an assumption that the input/output buffer
sizes would not exceed 255 bytes. The assumption can be seen throughout
the code where it is using a "uint8_t" for size calculations when doing
offsets into the data buffers.

As this application was written for OpenBMC and the service list
provided by OpenBMC is very minimal, supporting a maximum request
buffer of 255 bytes is a fine assumption. Just need to enforce it.

Without this change, very unexpected things can happen with uint8_t
overflow issues when a packet size greater then 255 bytes is passed in
or created internally.

Tested:
- Verified a request with a packet size over 255 bytes is rejected

Change-Id: Icec15fe100d6514a3309fa89e9f79d565de05553
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>

diff --git a/main.cpp b/main.cpp
index 6df25ec..9212820 100644
--- a/main.cpp
+++ b/main.cpp

@@ -25,25 +25,37 @@
         return rc;
     }
 
-    switch (recvBuff[0])
+    // This code currently assume a maximum of 255 bytes in a receive
+    // or response message. Enforce that here.
+    if (recvBuff.size() > slp::MAX_LEN)
     {
-        case slp::VERSION_2:
-        {
-            // Parse the buffer and construct the req object
-            std::tie(rc, req) = slp::parser::parseBuffer(recvBuff);
-            if (!rc)
-            {
-                // Passing the req object to handler to serve it
-                std::tie(rc, resp) = slp::handler::processRequest(req);
-            }
-            break;
-        }
-        default:
-            std::cout << "SLP Unsupported Request Version=" << (int)recvBuff[0]
-                      << "\n";
+        std::cerr << "Message size exceeds maximum allowed: " << recvBuff.size()
+                  << " / " << slp::MAX_LEN << std::endl;
 
-            rc = static_cast<uint8_t>(slp::Error::VER_NOT_SUPPORTED);
-            break;
+        rc = static_cast<uint8_t>(slp::Error::PARSE_ERROR);
+    }
+    else
+    {
+        switch (recvBuff[0])
+        {
+            case slp::VERSION_2:
+            {
+                // Parse the buffer and construct the req object
+                std::tie(rc, req) = slp::parser::parseBuffer(recvBuff);
+                if (!rc)
+                {
+                    // Passing the req object to handler to serve it
+                    std::tie(rc, resp) = slp::handler::processRequest(req);
+                }
+                break;
+            }
+            default:
+                std::cout << "SLP Unsupported Request Version="
+                          << (int)recvBuff[0] << "\n";
+
+                rc = static_cast<uint8_t>(slp::Error::VER_NOT_SUPPORTED);
+                break;
+        }
     }
 
     // if there was error during Parsing of request